Legal
Privacy Policy
This Privacy Policy explains how [LEGAL NAME] ("Denti", "we", "us"), a company registered in Kosovo (reg. no. [REG NO], [REGISTERED ADDRESS]), collects and processes personal data. It is written to meet the EU General Data Protection Regulation (GDPR) and Kosovo's Law No. 06/L-082 on Protection of Personal Data, so it applies equally to clinics in Kosovo, Albania, and the EU.
Patient data — who is responsible. When a clinic uses Denti, the clinic is the data controller of its patients' data and Denti is only the data processor, acting on the clinic's instructions. Our handling of patient data is governed by our Data Processing Agreement. This Privacy Policy describes data for which Denti itself is the controller — i.e. clinic staff accounts and website visitors.
1. Data we collect
- Account & clinic data: name, email, role, password (hashed), clinic name and profile, and billing details.
- Usage & technical data: IP address, device/browser information, and operational/security logs needed to run and protect the service.
- Communications: messages you send us (e.g. support).
- Patient data: processed only on behalf of clinics under the DPA — never for our own purposes.
2. Why we process it (lawful bases)
- Contract — to provide the service, accounts, billing, and support.
- Legitimate interests — to secure the platform, prevent abuse, and improve the product (balanced against your rights).
- Legal obligation — accounting, tax, and lawful requests.
- Consent — where required (e.g. non-essential cookies); withdrawable at any time.
3. Where your data is stored
🇩🇪 All data is hosted in German datacenters (Hetzner Online GmbH), entirely within the European Union and under GDPR. It does not leave the EU.
4. Who we share it with
We do not sell personal data, and we never share one clinic's data with another clinic. We use a small number of vetted sub-processors strictly to operate the service — see our Sub-processor list. We may disclose data where legally required.
5. How long we keep it
We keep account and clinic data for as long as your account is active. On termination, clinic data is exported to you (CSV/Excel) and then deleted from our systems within the retention window set out in the DPA. Some records may be retained longer only where law requires (e.g. tax).
6. Your rights
Under the GDPR you may request: access, rectification, erasure, restriction, portability, and to object to processing, and to withdraw consent. To exercise these, contact privacy@denti.app. You also have the right to lodge a complaint with your supervisory authority (in Kosovo, the Information and Privacy Agency).
If you are a patient, please contact your dental clinic — they are the controller of your record; we will assist them in fulfilling your request.
7. Security
We protect data with TLS encryption in transit, hashed passwords, role-based access control, optional two-factor authentication, audit logging, tenant isolation, and EU-only hosting. See the DPA for the full list of technical and organizational measures.
8. Cookies
We use only essential cookies. See our Cookie Policy.
9. Changes
We may update this policy; material changes will be notified and the version/date above updated.
10. Contact
[LEGAL NAME] · privacy@denti.app · [REGISTERED ADDRESS]